
Prepared statement changes value of SHA1 vs. non-prepared


Solved by Ch0cu3r


Here's the non-prepared MySQLi procedural code for registering a user - the appropriate parts are for the password ($p) protection:

 

.

.

    $trimmed = array_map('trim', $_POST);

    // Assume invalid values:
    $fn = $ln = $e = $p = FALSE;
.

.

    // Check for a password and match against the confirmed password:
    if (preg_match ('/^\w{4,20}$/', $trimmed['password1']) ) {
        if ($trimmed['password1'] == $trimmed['password2']) {
            $p = mysqli_real_escape_string ($dbc, $trimmed['password1']);
        } else {
            echo '<p class="error">Your password did not match the confirmed password!</p>';
        }
    } else {
        echo '<p class="error">Please enter a valid password!</p>';
    }
.

(identical code up to here in both scripts - actually, untouched)

    .

            $qa = "INSERT INTO nm_users (email, pass, first_name, last_name, active, registration_date) VALUES ('$e', SHA1('$p'), '$fn', '$ln', '$a', NOW() )";
            // the error message should report the query that actually ran ($qa, not an undefined $q)
            $ra = mysqli_query ($dbc, $qa) or trigger_error("Query: $qa\n<br />MySQL Error: " . mysqli_error($dbc));

    .
    .

(end this part of script)


When logging in to the saved password, it works perfectly. I decided to use prepared statements instead, so here is the equivalent code:

    .
    .

            $pw = SHA1('$p');

            $qa = "INSERT INTO nm_users (email, pass, first_name, last_name, active, registration_date) VALUES (?, ?, ?, ?, ?, NOW() )";

            // mysqli_stmt_error() needs a statement handle, and a failed prepare returns none, so report the connection error instead
            $ra = mysqli_prepare($dbc, $qa) or trigger_error("Query: $qa\n<br />MySQL Error: " . mysqli_error($dbc));

            mysqli_stmt_bind_param($ra, 'sssss', $e, $pw, $fn, $ln, $a);

            mysqli_stmt_execute($ra);

            mysqli_stmt_close($ra);

(end this part of script)


The prepared code vs. the standard code generates a different hex value for the same passwords ($p) even before the prepared statements start! How can this be? There were no changes to the front code. And when logging in after successful registration and activation, the same password used to register is rejected, as you'd expect.


Does anyone know what's going on here?


  • Solution

Remove the single quotes around $p

$pw = SHA1('$p');

Variables are not parsed inside of single quotes.

 

Also, if you're using prepared statements then there is no need to use mysqli_real_escape_string.

Edited by Ch0cu3r
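The corrected registration together with the matching login check, as an added example that is not code from the thread: it hashes with sha1($p) on the PHP side and sends every value through bound parameters, with no escaping. It assumes a mysqli connection $dbc, the nm_users table from the thread, and the hypothetical function names used here.

```php
<?php
// Added example (not the poster's or Ch0cu3r's code): corrected registration and
// the login check that must hash the same way. Assumes a mysqli connection $dbc
// and the nm_users table from the thread; function names are hypothetical.

function hash_password(string $plain): string
{
    // sha1('$p') hashes the literal two characters "$p" because single-quoted
    // strings are not interpolated; passing the variable hashes the real value.
    return sha1($plain);
}

function register_user(mysqli $dbc, string $e, string $p, string $fn, string $ln, string $a): bool
{
    // No mysqli_real_escape_string(): bound values travel separately from the
    // SQL text, so they are never parsed as part of the statement.
    $sql = "INSERT INTO nm_users (email, pass, first_name, last_name, active, registration_date)
            VALUES (?, ?, ?, ?, ?, NOW())";
    $stmt = mysqli_prepare($dbc, $sql);
    if ($stmt === false) {
        trigger_error("Prepare failed: " . mysqli_error($dbc));
        return false;
    }
    $pw = hash_password($p);
    mysqli_stmt_bind_param($stmt, 'sssss', $e, $pw, $fn, $ln, $a);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

function login_matches(mysqli $dbc, string $e, string $p): bool
{
    // Login must hash exactly as registration did; a mismatch here is why the
    // thread's correct passwords were rejected after the change.
    $stmt = mysqli_prepare($dbc, "SELECT 1 FROM nm_users WHERE email = ? AND pass = ?");
    if ($stmt === false) {
        return false;
    }
    $pw = hash_password($p);
    mysqli_stmt_bind_param($stmt, 'ss', $e, $pw);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt);
    $found = mysqli_stmt_num_rows($stmt) > 0;
    mysqli_stmt_close($stmt);
    return $found;
}

// Offline check of the bug: the single-quoted form gives one hash for every password.
$buggy = fn(string $p): string => sha1('$p');
assert($buggy('alpha') === $buggy('beta'));
assert(hash_password('alpha') !== hash_password('beta'));
```

The two assertions at the end run without a database and show why the single-quoted form can never verify a login: every password collapses to the same stored value.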